Monday, October 24, 2016

The "oral history" of GIAC

A couple of days ago press@sans received a note asking for some information: a professor is writing a book about the origins of cybersecurity and wanted an oral history. Apparently some of these get added to the Charles Babbage Institute; here is an example with Lance Hoffman. So I took a crack at it, as shown below.

In 1981 I graduated from Mary Washington with a BA in Geography, (cartography and air photo interpretation), and was hired by Defense Mapping Agency, DMATC, (now NGA). They were just converting from manual processes to Computer Aided Design, (CAD). The terminals were powered by DEC PDP 11/70s. I was working the evening shift, essentially 4 - 11 PM. The facility was on the Potomac river gorge, (Brookmont, (Bethesda), Maryland), and in June, we had a thunderstorm almost every day and we were required to shut the systems down and unplug them; they even had a thunderstorm code to charge our time to. There was no IT department for technical support in the evenings, so during the thunderstorms I started reading the manuals and even started coding in RSX-11M. The path to being a technical GS-12 involved getting a masters degree in geodetic engineering from Virginia Tech. So I started taking courses at Telestar Court in Falls Church. One of the required courses was data structures in Fortran, my first computer course with punch cards on an IBM 360 mainframe. I loved it. I quickly took all the computer courses. When I signed up for one as my elective, the topography department head denied it. He said, "You have taken enough computer courses". I updated my resume, (forget what they called the form back then), and got an appointment with the computer department head. He read my paperwork, looked up and said, "Do you have any experience with small computers?" "Well sir, I am the president of the Fredericksburg Commodore 64 club", I replied. I was hired, I became a computer guy and have never looked back; who would want to do anything else?

In 1997, my primary security focus was network intrusion detection. By coincidence I met Alan Paller there, who asked me if I could speak on a technical topic, so we talked about intrusion detection. In the center of the room was Marcus Ranum; I was a bit intimidated. He didn't slaughter me, and later, when Marcus was with NFR, I helped Kent Landfield extend the NFR N language to support intrusion detection patterns. Now I was writing for two different IDSes and was beginning to realize that if you knew cybersecurity from an architecture perspective, you could apply it to multiple implementations.

In 1999, I agreed to write a book on cyber security intrusion detection, (link is 3rd edition, couldn't find first). I worked on it on the commuter train up to the Pentagon from Fredericksburg VA and then on the way home. After supper, I would retire into my office and write till about 10 PM. Every couple of weeks, I received a call from Alan Paller. He wanted to do something to “prove people could do the job” in cybersecurity. I was pounding on the keyboard and he would tell me he hired, this famous person and they could do it, then a few weeks later, he would call and say it did not work out. I liked Alan and would have loved to help him, but that wasn’t my mission, the book was my mission . . . until two things happened.

First, even though I had moved to the Pentagon for missile defense, I was still working with the Navy Laboratory at Dahlgren Virginia. I used some of my training dollars to send two of the Shadow IDS team members to the USENIX 99 conference in Monterey. I was there as well. The talk I had chosen was boring, so I drifted into some of the other talks. I did not see my people. I wandered through the Portola, (then Doubletree) hotel and conference center, did not see them. Finally I ended up on a deck overlooking the bay and saw them. They were in sea kayaks. That hurt; I had limited training resources. And it hit me. Mr. Paller’s idea could also tell an employer that spent training money on someone whether they actually mastered the subject matter. I still was not totally invested, but was becoming interested in the idea of proving someone could “do the job”.
NOTE: this conference was also what got me thinking about the flawed structure of "technical conferences", 1 and 2 hour talks leading to more depth at ShadowCon and later the track system at SANS.

Second, back at work at the Pentagon, I found out my IDS contractor had resigned to be part of a startup with the Enterasys Dragon IDS. Our prime contractor handed me a stack of resumes. One looked really good, lots of experience, remarkable, because in 1999 intrusion detection was in its infancy. So, I told the prime to bring him on board. His first day on the job, I wanted to bring up a RealSecure IDS on one of our new facilities. So, I handed him the disk and told him to load the maximum signature set. I came back a few hours later and it was not running. All you had to do was load the disk, agree with the Microsoft install wizard, next, next, next, choose the signature set and you should be up and running. Long story short, his resume was bogus, I don’t even know how he managed to write it. Mr. Paller’s vision was starting to make a lot of sense to me at this point; I called Alan and told him I was in.

Alan came down to visit the Shadow team at Dahlgren and we spent some time at the whiteboard. Security was getting more complex; even in 1999 there wasn’t such a thing as a “security guy”. Instead, there was a firewall/perimeter expert, IDS expert, Windows OS, Unix OS, forensicator and so forth. To prove someone could “do the job”, we would have to define the job, then break it down into knowledge elements: knowledge, skills and abilities (KSAs).
NOTE: as GIAC came to be, KSAs morphed into ICF, (important, critical and frequent) values.

As 1999 drew to a close, the White House security council requested my participation in Y2K preparations in the event cyber attacks were going to happen. My boss at the Pentagon didn’t like it, but couldn’t really say no, so I reported to the Gerald Ford House Office Building to set up shop. It was a terrible experience. The FBI wanted to be in charge, the US CERT wanted to be in charge, the GSA point of contact was really mean. I was just a techie, unprepared for the worst of government politics and turf battles. Mr. Paller was kind enough to take over on site and I did all the work remotely, including setting up multiple global response centers, counting on Richard Bejtlich, Arrigo Triulzi and other analysts. I had been a happy government employee till that event, but I was done and SANS was kind enough to hire me. I resigned from missile defense January 5, 2000.

For the next year, I focused on gathering knowledge about the security skills and figuring out how to teach and test them. Eventually we settled on the name and idea of GIAC, (we had created the brand earlier as the Global Incident Analysis Center, now known as the Internet Storm Center), and rebranded it as the Global Information Assurance Certification. The early days were rather crude, essentially two guys and a dog writing test questions, but we focused on continuous process improvement.

We all know the events of 9/11/2001, but what most people don’t know is that it spilled over into cybersecurity, probably in part due to the Code Red worm two months earlier. All of a sudden, we were facing enormous demand for our training and attempts at certification; every class was sold out. Capacity was maxed out. A SANS employee, Zoe Dias, spent weeks figuring out how to increase capacity by a factor of 10, she would wake up in middle of the night as ideas came to her and she continued to chip away at the logistics problems. Her work resulted in the distribution system we depend on today.

In 2002, the industry was realizing there was a lack of provable security skills. Steve Katz, CISO CitiCorp, had done a briefing on the topic that got picked up by the press. Eventually, GIAC was lucky enough to hire an engineer named Jeff Frisk and he cared enough and was detail oriented enough to help GIAC become what it is today.

Search Engine Optimization and Security Certifications

10/24/16 I typed "security certification" into Google using the Firefox browser. Observations:
363M results
6 paid ads: ISACA, CTC.EDU, ASIS, Denimgroup, Cybervista, (I had never heard of most of these before)
Top organic hit is CompTIA Security+. NOTE: Security+ is mentioned 4 times on page 1 of Google results
Top article: "Darkreading's 10 Security certifications to boost your career"  They list the GSEC first.
0 mention of GIAC on page 1 of Google results

Initial recommendations:
1) Do not pay for ads, it is a crowded field so it will cost money and yield minimal results
2) Create a short list of distinctives, suggested examples:

  • GSE, most advanced cybersecurity certification, this is halfway down the page for search term GSE.
  • GIAC Advisory Board, best home field advantage in the industry, (my blogpost was 2nd hit)
  • Cybersecurity skill specific certification, that Google search term does not mention GIAC and ISACA is second organic hit, "ISACA is First to Combine Skills-based Cybersecurity Training with Performance-based Exams and Certifications to Address Global Cyber Talent Shortage"
  • ETC, ETC
2A) Build content for your desired distinctives linking back to GIAC. I am modeling that behavior in this blog post, (note that I am not linking to "the other guys").
3) For each GIAC certification, type the search term into Google. For instance for the search term "GPEN" the first hit is a vaporizer. Build an article about the certification that links to the appropriate cert page.

Wednesday, October 5, 2016

What is a cybersecurity architect, (and how to hire one)

According to the Burning Glass report titled Job Market Intelligence: Cybersecurity Jobs, 2015, 5% of all cybersecurity job postings are for a job title of Security Architect. Unfortunately, the industry is still unclear as to exactly what an IT Security Architect is. According to Payscale, the median compensation is $114,000/year, (which sounds a bit low). The concept is, however, starting to mature. Certifications are being developed for IT Security Architects, and training courses are offered by various organizations to help prepare one to be a Security Architect. The (ISC)2 organization has created an ISSAP (Information Systems Security Architecture Professional) certification. The SABSA organization offers a set of integrated frameworks, models, methods, and processes, used independently or as an integrated enterprise solution. One published job description for a Senior Security Architect lists the following skills: "Network Security, Network Hardware Configuration, Network Protocols, Networking Standards, Supervision, Conceptual Skills, Decision Making, Informing Others, Functional and Technical Skills, Dependability, Information Security Policies".

The TOGAF (The Open Group Architecture Framework) certification has to do with thinking like an architect. A security architect needs to be able to function as a general systems architect for the enterprise. Without the big picture, it’s hard to provide big security solutions.

A security architect should have the ability to conduct "as is" process gap analysis, (where are we now, where do we need to be, how to get there). They generate technical implementation and management prioritized guidance that includes evaluation tests and metrics such as those identified in the CCS/CIS Critical Security Controls. The implementation is a cooperative effort between business management and the Security Architect who brings needed experience, expertise, and consultation to the decision-making process.

Engineer and Architect compared

Architects know what needs to be done to get you to the end goal; engineers know how to do the details of the next tactical step in the project.

Architects tend to think in concepts; defense-in-depth, least privilege, breaking the exploit kill chain.  Engineers tend to think in products; Firewalls, IPS, Anti-malware, file integrity monitoring, DLP, etc.

Architects worry about how the ecosystem works together, engineers worry about how to keep things running and working.

An engineer can tell you how to design your network. An architect can tell you why it should be designed that way, and will be able to suggest changes based on your specific needs.

An engineer can tell you which protocols companies should use for discrete tasks. An architect can explain why those protocols make the most sense, and can usually detail the previous state of the art.

Architects want to know exploit vectors and what intellectual property was exfiltrated from the company, engineers want to collect evidence and remediate.

Architects think vulnerability management, engineers think patching, hardening and scanning.

Architects think big picture and are good presenters and salesmen of security ideas to upper management, engineers are where the rubber meets the road, (the real problem solvers in the trenches).

You have to have both, most security professionals function better on one side or the other, nothing is worse than having an architect that only wants to engineer or an engineer who only wants to architect.  However, many companies struggle because they ask a single person to do both and then are frustrated that that person has a weak spot on one side or the other. 

The key attributes of an architect in order of importance:

  • Analyze the business operations of the organization and map them to data flows between the information processing zones within, as well as to and from, the organization.
  • Design a security solution which suits the risk appetite and the real threats the enterprise faces. They use the basic classes of cybersecurity tools available, such as perimeter protection, detection, OS protection, identity management and SIEM style information correlation to implement defense in depth at choke, or control points, of the enterprise.
  • Understand the "big picture" in terms of all IT systems; if you don't, securing them is impossible. In critical infrastructure organizations, understanding the physical security controls is crucial and architects may be "dual hatted", cybersecurity/physical security.

Ideal persons to help interview a candidate for an architect position include: the IT manager, (such as CIO), security manager, (or CISO), network manager, (or senior network analyst), systems manager, (or senior systems administrator), applications manager, (or senior software developer with a cybersecurity interest).

Interviewing an engineer for a network architecture position

We interviewed a number of GIAC Advisory Board members who have been working as architects for major enterprises as to what they look for when filling an architecture position. They recommend that you be careful about giving candidates a real-world problem (even while pretending it is 'made up'), as this could be dangerous to the company from a PR or security perspective if it got posted on the Internet in some way. There are a number of practical assignments defining a mythical company called "GIAC Enterprises". If you Google that term you can get some scenarios to use for the exercise. Here are some questions they recommend asking:

Do you have a home network setup? Please describe it to me.

When designing an architecture/infrastructure for security we have to be at least "aware" of the various protocols/technologies used within corporate America. Please tell me a bit about:
  • Equal cost paths for egress traffic
  • High Availability Design issues
  • Packet shaping
  • The role of the network in compliance
  • What ideas do you have to improve our DR/BCP
Please tell me a bit about each of the technologies below and when and why you might use them:
  • OSPF
  • MPLS
  • RIP
  • GRE
  • IPv6
  • Proxy ARP
  • Static routing

Give them just the hex of an IPv4 packet or a DHCPv6 trace and ask them to tell you what is going on. They don't have to be packet ninjas, but they should know what is going on. We teach managers to do this with prospective employees, (in the course we author and teach, Management 512).
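The packet-reading exercise above, as an added example that is not part of the original post: a small Python decoder for the fixed IPv4 header, plus the ports and flags of the TCP segment behind it, which an interviewer can run over the same hex dump to check a candidate's reading. The hex dump is constructed for this example (not a real capture) and the DHCPv6 variant of the exercise is not covered. The header checksum is verified, since a candidate who spots a bad checksum in a dump is showing exactly the "know what is going on" skill the paragraph describes.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample for this example (not a real capture): a 20-byte IPv4
# header followed by the first 16 bytes of the TCP header it carries. Total
# length says 60 bytes (20 IP + 40 TCP with options); the dump is truncated.
# Expected reading: 192.168.0.1:40000 -> 192.168.0.199:80, TCP SYN, TTL 64, DF.
SAMPLE_HEX = (
    "4500 003c 1c46 4000 4006 9c5d c0a8 0001 c0a8 00c7"
    "9c40 0050 0000 0001 0000 0000 a002 7210"
)

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum, as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4(raw: bytes) -> dict:
    """Decode the fixed IPv4 header and, for TCP/UDP, the ports that follow it."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    if ihl < 20 or ihl > len(raw):
        raise ValueError("bad IHL %d" % ihl)
    pkt = {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "proto": PROTOCOLS.get(proto, str(proto)),
        # A header whose checksum is correct sums (checksum field included) to 0xFFFF.
        "checksum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,
    }
    payload = raw[ihl:]
    if proto in (6, 17) and len(payload) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", payload[:4])
    if proto == 6 and len(payload) >= 14:
        flags = payload[13]  # low byte of the TCP data-offset/flags word
        pkt["tcp_flags"] = [name for bit, name in TCP_FLAG_BITS if flags & bit]
    return pkt


def summarize(pkt: dict) -> str:
    """One-line reading of the packet, the way an analyst would say it out loud."""
    ends = "%s -> %s" % (pkt["src"], pkt["dst"])
    if "sport" in pkt:
        ends = "%s:%d -> %s:%d" % (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    notes = [pkt["proto"]]
    if pkt.get("tcp_flags"):
        notes.append("/".join(pkt["tcp_flags"]))
    if pkt["df"]:
        notes.append("DF")
    if pkt["mf"] or pkt["frag_offset"]:
        notes.append("fragment@%d" % pkt["frag_offset"])
    notes.append("ttl=%d" % pkt["ttl"])
    notes.append("checksum " + ("ok" if pkt["checksum_ok"] else "BAD"))
    return "%s %s" % (ends, " ".join(notes))


if __name__ == "__main__":
    raw = bytes.fromhex(SAMPLE_HEX)
    print(summarize(parse_ipv4(raw)))
    tampered = bytearray(raw)
    tampered[8] = 1  # change TTL without fixing the checksum
    print(summarize(parse_ipv4(bytes(tampered))))
```

Running it prints the expected reading for the sample and, for the tampered copy, the same line with "checksum BAD", which is the hint that the dump was edited or corrupted rather than captured.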

Interviewing an engineer for a security architecture position

  • What threats do you perceive in this company's environment?
  • What are the assets and/or business processes (5 maximum) you think are the most critical ones for the organization?
  • What assets do you think are the most exposed?
  • Identify the weakest links in the system as a whole (Networks, Systems, Applications, Data, Users).
  • What basic access controls would you design into the network (relevant to my business)?
  • What incident handling (IH) procedures, if any, would you put into place regarding the network?
  • If you were an attacker, what would you be after?
  • If you were an attacker what would your business model be? That is, how can an attacker make money by attacking us.
  • If you were an attacker, how would you go about penetrating us?
  • What architectural solutions (Protection, Detection and Reaction) would you propose for the different components (Networks, Systems, Applications, Data, Users) to address the threats and mitigate the risks?
  • Draw for me a high level (network) diagram that shows your proposed architectural changes and solutions.
  • Develop an implementation plan for those solutions (short/middle/long) term.
  • Out of the solutions you mentioned, what are the 5 ones that add the greatest value?
  • Show me how you would adapt your solutions and what you would prioritize according to different budgets: $1,000, $10,000 or $100,000.
  • What are the solutions that you think would be more difficult to implement (due to technical, budget or cultural reasons)?
  • What policy / cultural changes do you think are needed (if any) for your long-term plan to succeed?
  • Propose a couple of security solutions that would enable this company to improve business by doing something it can't currently do.
More general questions
  • If we are looking for more of a general-purpose architect, consider some of these questions. If our organization wants to field a new e-commerce site, can you describe a couple of different scenarios or approaches to the architecture? What are the primary tradeoffs between the architectures? What vendors would you use and why?
  • Get your technical folks to help you identify a real world problem your organization is facing. Can the candidate engineer a "duct-tape" solution to temporarily address the issue. You don't want a candidate that is always relying on spending $$$ to accomplish a task.
  • Please explain a recently announced vulnerability of your choice, and what solutions you would implement to mitigate the threat.
  • Here is a whiteboard and some markers... draw me a diagram, design, or something of your choice using these tools to communicate a concept, architecture, or something of your choice.
  • Tell me about your experience with the open-source movement. What sources do you use to find information on new products related to network monitoring?
  • If there was a network problem, what are the basic steps you would go through in order to troubleshoot the problem?
  • What architectures, software, or deployment strategies have you used successfully in the past, but would no longer use? Please tell us why.
  • Sell us on yourself. What are your strongest personal assets? What specific attributes would you be bringing into the organization that will make a positive contribution to our overall success?
  • Tell us about an instance when you had to communicate an idea/process/procedure to a customer that you know will be resistant to you. What was your initial approach? Did you have to change your approach? What was the outcome?
  • What approach do you take when you need to learn about a technology? Do you consider yourself a life-long learner? Why?
  • What was the one question we did not ask that you came prepared to answer?
Sample Candidate Profile & Requirements
Candidate has substantial experience researching, authoring, and implementing security configuration standards across multiple platforms. Candidate's experience includes a successful track record of evangelizing standards, managing and/or creating the standards compliance and remediation processes, as well as presenting the value propositions of standards-based security management to senior managers within a Fortune 500 organization, or similar scale environment.

The self-directed individual represents COMPANY as a participant in industry working groups and standards bodies. Candidate's familiarity with security industry standards, working group processes, and content lifecycle management adds great value. Active participation in - or contribution to - OASIS, Liberty Alliance Project, NIST, Center for Internet Security, or other similar open forum working groups and committees demonstrates candidate's ability to advance COMPANY's concerns within the broader security industry.

Candidate is familiar with threats, vulnerabilities, and exposures across diverse systems, and successfully communicates this data in terms of operational risk and business relevance. Candidate brings to COMPANY extensive background creating and executing closed-loop vulnerability management practices, and can leverage such experience in coordinating individuals with competing priorities across multiple departments to mitigate risk.

The ideal candidate has 5-7 years experience in the industry. Familiarity with types of products offered by COMPANY, and the core business processes needed to deliver services, is essential in making security relevant to the lines of business the team supports.

Candidate can demonstrate a proven track record of communicating and working proactively and professionally with internal and external auditors, and other groups responsible for ensuring that an organization is properly protecting the interests of its customers, shareholders, and employees.

Candidate is familiar with software development lifecycle methodologies. Demonstrated experience gathering and documenting business and technical requirements for implementation by internal development teams and/or external vendors shows that candidate can lead others in meeting COMPANY's security requirements.

Candidate must bring extensive experience leading and/or significantly contributing to cross-departmental technology projects. The candidate leverages an understanding of industry-standard project management methodologies, experience with project financial controls, and the ability to communicate the financial justification for security projects to deliver on COMPANY's Information Security Strategy.

Candidate has led, or significantly contributed to, enterprise projects to deliver security information management solutions. Candidate shows experience building an infrastructure to aggregate, deduplicate, and correlate massive streams of security log data; candidate has delivered processes and procedures to triage, analyze, and take action on such information; and candidate has designed management reporting to instrument and continuously improve security information management.

Candidate's significant experience with network security controls such as routers, switches, firewalls, intrusion management solutions, network access control, and related solutions is required when coordinating delivery of holistic security in partnership with COMPANY's Network Engineering group(s). Extensive understanding of network protocols, data flow analysis, and network design and troubleshooting assist the candidate in leading others to successfully deliver a security program.

Candidate's familiarity with application security practices such as secure coding and secure development lifecycle management is required in coordinating with application architecture and development groups, as well as positioning system security in the broader context of COMPANY's information security program.

Skills and background in computer programming are desirable, but not required; however, candidate must demonstrate knowledge of design patterns used in enterprise applications. Understanding of how applications are developed, deployed, and managed is essential to demonstrating that candidate can design security solutions to protect critical assets and data. Familiarity with security principles in Service Oriented Architecture, WS-Security standards, application frameworks (.NET Framework & J2EE/Java EE), and the use of cryptography in applications ensures that the candidate can explain complex issues.

Certification by industry standard certification bodies is encouraged, but not required. SANS/GIAC, ISSAP, or similar certifications will be considered as evidence of candidate's dedication and commitment to demonstrating an objective baseline of skills. However, keep in mind that according to Burning Glass 35% of all security job postings require a certification.

Candidate has 3-5 years experience designing, implementing, and measuring closed-loop security management workflow systems. Proven experience integrating security controls into enterprise workflow and incident/problem management systems is paramount in successfully delivering on the goals assigned to this position.


J Michael Butler who was a great help in previous versions
Roland Grefer helped me clean up the writing
Chad Lorenc really beefed up the architect engineer comparison
Thomas Williams TOGAF and the importance of physical security

References: All links valid 10/5/16 unless otherwise noted
PayScale: Security Architect, IT salary
ISSAP®: Information Systems Security Architecture Professional
SABSA (Sherwood Applied Business Security Architecture)
Information Security Forum (ISF) ***No longer worked when checked December 3, 2012
Department of Defense Architecture Framework (DoDAF), retrieved 10/5/16 (thanks to Chris Holabird)
Department of Defense Architecture Framework (DoDAF) v2, 2009
Department of Defense Architecture Framework (DoDAF) v2.02, 2015
Zachman Institute for Framework Advancement (ZIFA)
NIST - Managing Risk from Information Systems

Thursday, September 29, 2016

The skills of a cybersecurity technical writer

According to Wikipedia, "Technical writers are professional writers who design, create, maintain and update many types of technical documentation, online help, user guides, white papers, design specifications, and other documents. Technical writers put technical information into easily understandable language. They prepare operating and maintenance manuals, catalogs, parts lists, assembly instructions, sales promotion materials, and project proposals. Many technical writers work with engineers on technical subject matters to prepare written interpretations of engineering and design specifications and other information for a general readership. Technical writers also may serve as part of a team conducting usability studies to help improve the design of a product that still is in the prototype stage. They plan and edit technical materials and oversee the preparation of illustrations, photographs, diagrams, and charts." From our own experience we can expand that to include security policy, security awareness posters, press releases, blog posts, blog post comments and refutations, memos to management on technical issues, executive summaries of reports, technical analysis of news stories, courseware, help files, how-to's, and presentations.

Often, a technical writer must first research the topic they are writing about, so strong research skills are also important. This ranges from power searching on Google to knowing how to leverage expert sites such as Writers Write. There are more online resources than ever before; here are a few worth trying:

  • Onelook has a reverse dictionary feature, if you can't think of a word, simply enter its definition and Onelook gives you a list.
  • Wordspy tries to track the new words being used in publications. Such things should be used sparingly, but when you are trying to establish a perception of being "with it" or when targeting a younger crowd, this can be helpful.
  • SANS Reading Room, contains the largest collection of security research papers on the Internet
  • Argumentative Essays, a primer on argumentation (a persuasive research paper)
  • Most colleges and universities provide students with a large number of research tools. As a writer, it may be worth considering taking courses to maintain access, or potentially working part time for an educational institution. For instance, here are the tools available to University of Washington students.
  • Wise Old Sayings is a source for opening statements.
If you are trying to hire a technical writer, expect to see people that want to be paid as much as, or more than, system administrators or even software programmers. Make sure there is an escape clause if things do not work out, and take the interview process seriously. One published list of interview questions for a potential technical writer includes:

  • How would you style a document to address a technical audience?
  • Describe your experience with network infrastructures.
  • Have you ever created any online help?
In general, organizations will favor readability and clarity over perfect grammar. In fact, the more technical the material is, the less important the grammar is while the ability to convey the thought to the reader accurately becomes very important. Nevertheless, correct spelling, avoiding the common errors of writing in English and compliance with the organization's style guide is crucial. Some useful web resources:

How do you learn to be a technical writer? There are many programs, but the short answer is that you have to write, a lot, and your work needs to be reviewed by someone qualified to review technical security material. I have written several technical books, but the first book was the most important. I was blessed with a great developmental editor. Later in life I worked with bad editors; it wasn't that much of an issue since I was seasoned by that time, but it really helped me understand how important good review is to the writing process. Before you put your money down to learn to improve your technical writing, be certain that you understand the quality and quantity of review you can expect from the program.

Monday, September 26, 2016

Yahoo Verizon Breach Impact on Future M&A

Executive Summary: Cybersecurity is likely to take another step in developing a quantitative number as to its value to an organization. According to Vanity Fair, Yahoo, (a collection of web properties including Flickr and Tumblr), was worth $128B at its peak, was mismanaged, and agreed to be bought for $4.8B. The SEC filing is here. Because it is the largest known data breach in history, (originally reported as 500M, but MarketWatch and BusinessInsider say potentially 1B), it is setting up to become "the mother of" all data breach settlements. Since many people use the same password on multiple systems, one use of the breached data is to crack the password hashes and try the recovered passwords against other systems. Threatpost says most of the Yahoo hashes are bcrypt, (slow by design, so expensive to attack offline), but a "small percentage" are the outdated, unsafe MD5.
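Why the hash scheme matters for the reuse problem described above, as an added example that is not from the original post or from any Yahoo code. The "leaked" records, salts and wordlist are constructed for this example; bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 with a tunable iteration count stands in for it (the property being shown, a high per-guess cost, is the same). The MD5 accounts fall to one pass over the wordlist regardless of how many victims there are, the slow-hash accounts cost a full work-factor run per guess per account, and a password recovered from the weak store is then verified against the same user's properly hashed record on a second site, which is the credential-stuffing step.

```python
import hashlib
import hmac
import time

# Constructed wordlist and "leaked" records for this example; nothing here is
# real breach data. The weak passwords are chosen to be in the wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "summer2016", "dragon", "monkey", "football"]

ITERATIONS = 50_000  # work factor of the slow scheme (PBKDF2-HMAC-SHA256)


def md5_unsalted(password: str) -> str:
    """Legacy scheme: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Stand-in for bcrypt: salted PBKDF2 whose cost is ITERATIONS HMAC calls
    per guess, so an attacker pays that cost for every (account, guess) pair."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Legacy accounts still stored as unsalted MD5 (constructed).
LEAK_MD5 = {
    "alice@example.com": md5_unsalted("summer2016"),
    "bob@example.com": md5_unsalted("Tr0ub4dor&3"),  # not in WORDLIST: survives
}
# Accounts already migrated to the slow, salted scheme: (salt, digest).
SALT_CAROL = bytes.fromhex("5f1d8a0c3b7e94a2")
LEAK_SLOW = {
    "carol@example.com": (SALT_CAROL, slow_hash("letmein", SALT_CAROL)),
}
# A different site that hashes properly, where alice reused her password.
SALT_OTHER = bytes.fromhex("c4e1a9027d3f6b58")
OTHER_SITE = {
    "alice@example.com": (SALT_OTHER, slow_hash("summer2016", SALT_OTHER)),
    "carol@example.com": (SALT_OTHER, slow_hash("different-pw", SALT_OTHER)),
}


def crack_md5(leak: dict, wordlist: list) -> tuple:
    """Unsalted and fast: hash each guess once, then reverse-look-up every
    account. Cost grows with the wordlist, not with the number of victims."""
    lookup = {md5_unsalted(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in leak.items() if h in lookup}
    return cracked, len(wordlist)


def crack_slow(leak: dict, wordlist: list) -> tuple:
    """Salted and slow: every (account, guess) pair costs a full PBKDF2 run."""
    cracked, attempts = {}, 0
    for user, (salt, digest) in leak.items():
        for guess in wordlist:
            attempts += 1
            if hmac.compare_digest(slow_hash(guess, salt), digest):
                cracked[user] = guess
                break
    return cracked, attempts


def check_reuse(cracked: dict, other_site: dict) -> list:
    """Credential-stuffing step: verify each recovered password against the
    same account on another site. Returns the accounts where it matches."""
    hits = []
    for user, password in cracked.items():
        if user in other_site:
            salt, digest = other_site[user]
            if hmac.compare_digest(slow_hash(password, salt), digest):
                hits.append(user)
    return hits


def cost_ratio(samples: int = 20) -> float:
    """Rough per-guess cost of the slow scheme relative to MD5 on this machine."""
    t0 = time.perf_counter()
    for _ in range(samples):
        md5_unsalted("benchmark")
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(samples):
        slow_hash("benchmark", SALT_CAROL)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    cracked, attempts = crack_md5(LEAK_MD5, WORDLIST)
    print("MD5:  cracked %s after %d hashes" % (cracked, attempts))
    cracked_slow, attempts = crack_slow(LEAK_SLOW, WORDLIST)
    print("slow: cracked %s after %d PBKDF2 runs" % (cracked_slow, attempts))
    print("reused elsewhere:", check_reuse(cracked, OTHER_SITE))
    print("slow hash costs roughly %.0fx an MD5 per guess" % cost_ratio())
```

The point the output makes is that the slow scheme does not stop a weak password from being guessed (carol's "letmein" still falls), it only makes each guess expensive; and that a well-hashed site is still exposed when its users reuse a password that leaked from a badly hashed one.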

Recode probably has the most comprehensive inside scoop. Their reporters Kara Swisher and Kurt Wagner are pretty switched on. They report, "In addition, internal sources at Yahoo said the company had been subjected to a number of previous incidents that were not managed swiftly by CEO Marissa Mayer. One executive close to the situation said that former Yahoo information security head Alex Stamos had tried aggressively to get management to act more strongly at the time, but he had not been successful. The well-regarded techie left Yahoo in mid-2015 for a job as chief security officer at Facebook."

Table of contents:
1) What will the financial impact be for Yahoo and Verizon in terms of the merger?
2) What can we expect in terms of Yahoo's stock valuation?
3) What are the general costs of a data breach?
4) What's next for Verizon?
5) Deja Vu. Operation Aurora 2009

1) What will the financial impact be for Yahoo and Verizon in terms of the merger? The $4.8B deal for at least 800M accounts was supposed to close in Q1 2017. That means we should know fairly soon. Currently experts are divided. 10/26/16 Fast Company posted an inscrutable article about an interview with Verizon executive Marni Walden that seems to imply there isn't a clear direction.

1.1 Some say the merger will be damaged or the price will change:

USA Today, "They (Verizon) are going to get a price discount," said Robert Cattanach, a lawyer who specializes in cybersecurity and data breaches at Washington, D.C. firm Dorsey & Whitney. "I would expect that there will be a fairly sophisticated effort to quantify the materiality of the impact of this breach and there would be some sort of price adjustment."

10/6/16 a story, (based on a NY Post exclusive), broke on USA Today that Verizon was asking for a $1B discount.

The Wall Street Journal reports Verizon CEO "Mr. McAdam, speaking at a technology conference in Menlo Park, Calif., on Monday, said he still sees Yahoo as “a real value asset,” but added: “In fairness we are still understanding what was going on and defining whether it was a material impact on the business or not.”"

CNBC reports Verizon CEO Lowell McAdam said he was "not that shocked" about a Yahoo data breach where the information from 500 million users was stolen, saying it was not a matter of if, but when.

10/13/16 The Wall Street Journal reports "[Verizon] General Counsel Craig Silliman said it was “reasonable” to believe that the breach represented a material event that could allow it to change the terms of the takeover. He said it was up to Yahoo to prove the full impact of the data leak and prove it wasn’t material.

“If they believe that it’s not, then they’ll need to show us that,” said Mr. Silliman, who has been leading Verizon’s review of the situation."

10/18/16 Chicago Tribune reports earnings have faltered for four consecutive quarters. The condensed financial information is here. CNBC points out they did profit and beat analyst consensus. Investorplace believes that since Verizon earnings are pretty flat in the highly competitive wireless marketplace, they need Yahoo, and a reduced price would be a bonus. 10/23/16 WSJ reports that AT&T, (also suffering from flat earnings and competition from Sprint and T-Mobile), is making an offer for Time Warner.

10/20/16 WSJ reports Verizon is revisiting the deal. Chicago Tribune quotes Verizon CFO Fran Shammo saying "Material Impact".

1.2 One possibility is that it will have no impact on the deal or even the selling price, NY Post reports, "Some experts said it would be hard for Verizon to prove the hacking was a material adverse change — the one surefire legal gambit that could scuttle the deal."

  The NY Times reports, "Brian Quinn, an associate professor at Boston College Law School, said Verizon had two main options if it decided to use the hack as leverage in setting the terms of the deal.

“They could say, ‘This thing is huge. We want to walk away from the transaction,’” he said. Were Verizon to try to claim that the breach was so severe it was grounds to terminate the deal, it would have to prove that the hack amounted to a material adverse effect on the value of Yahoo.

Such claims can be difficult to prove in court. According to Mr. Quinn’s reading of the merger document for the deal, Verizon would most likely have to prove that certain high-level Yahoo employees were aware of the severity of the hack before the deal was agreed upon, and intentionally withheld that information."

Fortune reports, "Nonetheless, it would be very tough sledding to get a Delaware court to agree a so-called material adverse event had occurred, particularly given that evidence of reduced usage and related revenue declines, for example, would not be immediately available for quite some time."

1.21 When Yahoo knew has a large impact on the deal!

Quartz discusses whether Yahoo did or did not know about the breach they announced in September back in July, "In July, a well-known hacker who goes by the name “Peace” told Motherboard that he possessed 200 million Yahoo user details, which were going for 3 bitcoins a pop on a darknet market called TheRealDeal. Yahoo confirmed that it was “aware” of the claim at the time. 

This is the incident that Mayer was aware of in July, as the FT’s anonymous source says: “Marissa was aware absolutely—she was aware and involved when Peace surfaced this allegation in July,” according to the source.

The attempt to verify Peace’s claim then led Yahoo to discover the latest breach, of 500 million user records, according to the FT. Yahoo has attributed this hack not to Peace but to a “state-sponsored actor.” What’s not clear now is when Yahoo discovered the confirmed breach. It seems a safe bet that this discovery happened sometime after Peace made his claims in late July, which is also after the Verizon deal was clinched, on July 25."

NY Post, "Yahoo would have to pay some $145 million if the deal somehow falls apart and it is to blame. While the hack is “upsetting,” it isn’t clear “it is a material adverse change,” one big Yahoo shareholder told The Post."

What is unique in this case is that Verizon has a fairly advanced cybersecurity division. They are uniquely suited to investigate and determine the potential impact to the deal. That said, they have recently suffered their own breach: "A recent thread posted on a guarded cybercrime forum advertised a database containing contact information for roughly 1.5 million Verizon Enterprise customers for sale at $100,000 for the lot."

10/13/16 Business Insider reported "CEO Marissa Mayer kept secrets from key members of the security team".

1.4 When there is blood in the water, sharks are sure to come. Many times when a company is in trouble, other allegations surface. Some of these are inevitable; others are lawsuits and similar actions filed in the hope that the company in trouble will settle.

1.4.1 Further damage from the email scanning story. 10/5/16 Reuters released a story that Yahoo searched incoming emails for US intelligence purposes. That would seem to be at odds with Yahoo's transparency policy. Slashdot reports, "The two former employees say that the decision Yahoo CEO Marissa Mayer made to obey the directive resulted in the June 2015 departure of CISO Alex Stamos, who left to work for Facebook." A Google search on 10/6/16 for "yahoo scanned emails" yielded 5.46M results. Fortune reports this could cause trouble with European customers. PredictWallStreet still does not appear to have priced in the damage since the breach disclosure; 76% of the responders expect the price to go up. This is in line with the NASDAQ consensus of BUY. 10/5 and 10/6 YHOO closed at 43.71 and 43.68. EFF reports the specific instructions the government gave Yahoo may have to be disclosed. "Section 402 of the USA FREEDOM Act, passed in June 2015, specifically requires government officials to “conduct a declassification review of each decision, order, or opinion issued” by the FISC “that includes a significant construction or interpretation of any provision of law.” The Yahoo order would appear to fall squarely within this provision."

1.4.2 Mercury News reports Scott Ard, a former executive who was fired, has filed a lawsuit against Yahoo alleging that Marissa Mayer systematically sought to remove male employees.

1.4.3 Fortune reports Access Now, (an international civil rights group), is interested in the email scanning issue.

1.4.4 NY Post has a fact free article that "Marissa Mayer’s days appear numbered as her company disappears"

2) What can we expect in terms of Yahoo's stock valuation? I have been poring over the financial analysts' reports and they seem to be oblivious to the impact of the breach, but I expect that will change. Is the bad news already priced into the stock? This may be an exception to an efficient market. After the merger announcement YHOO drifted up to 44.71 on September 6. Now it is obviously drifting down, and closed September 26 at 42.29. That isn't necessarily surprising; not all data breaches have the impact that Target's did, (profits YoY -40%, earnings YoY -46%, EPS $.81 down from $1.47, share price from about 70 to 56, now almost back to 70).

However, this is the mother of all data breaches. It is possible there isn't a quant model for something of this size. According to Yahoo Finance :), the 52 week range is 26.15 - 44.92 and the 1 year target is 42.75, which is where they already are. So there is a lot more room for downside than upside.

10/13/16 Could be the quant models are starting to be adjusted. This chart shows a 5.24% drop, but also look at the trading spikes along the bottom; that pattern points to computer-driven trading.

3) What are the general costs of a data breach? The IBM Ponemon 2016 study on data breach costs is probably the most authoritative. According to the study, the average cost is $4M, (compared to Target's $252M before insurance and tax write-offs). The cost has increased 29% since 2013. In the United States the average cost per capita is $221, ($221 x 500M accounts = $110.5B, roughly 400 times Target's cost; treat this as an upper bound, since free, non-revenue accounts arguably have lower value).

USA Today has what I consider a more reasonable guesstimate, ""I would [ask for a pause] if I was the buyer," said Chris Bulger, founder of Boston tech advisory bank Bulger Partners. "I would consider this a materially adverse change (a factor that could allow a party to back out of a sale) until my lawyer said don’t worry about it."

Bulger estimates that Yahoo will likely have to pay at least $10 per user in reparations. That could amount to $5 billion — more than Verizon's $4.8 billion paying price — making Yahoo "worthless," he said."

3.1 Non-revenue doesn't necessarily mean free or of low value. A deal struck with AT&T 15 years ago allowed Yahoo users to manage their AT&T accounts from Yahoo mail. According to CNET, "The hack puts AT&T in an uncomfortable position. The company is still waiting for data from Yahoo on the specific customers who may have been affected, according to a person familiar with their dealings.

"We began investigating immediately and requested information from Yahoo necessary to determine which email accounts may have been compromised," the company said in a statement. "In the meantime, we are in the process of notifying potentially affected customers.""

3.2 Class action lawsuits. The Hill reports a class action suit was filed in California. USA Today reports two more. The Home Depot settlement, (50M users), was $19.5M, (less than forty cents per user). Target was $39M for 40M users, (just under a dollar per user). CNBC references a suit claiming gross negligence.

3.3 SEC investigation and/or fines. In June 2016, the SEC announced Morgan Stanley agreed to pay $1M over an insider data breach of 730,000 customer accounts, about $1.37 per account. Applying that ratio to 500M accounts, Yahoo's potential liability could be $685M.

3.3.1 SEC rules may need to be clarified, Reuters, "And the vagueness of SEC's 2011 rules on disclosure and its failure to enforce them are drawing equal attention, privacy lawyers and cyber security experts said."

3.4 Cost of business disruption. Fortune ran a Reuters story saying "many users" closed their Yahoo accounts. The number of active accounts presumably was a factor in the valuation, (on July 15 Yahoo started closing accounts that had not been used in a year). 10/10/16 ET reports that they disabled automatic forwarding, so users have to use Yahoo to read their mail.

NOTE: Closing your Yahoo account may be more complex than you might guess. One report warns you could lose your other Yahoo services like Flickr, and the account will still accept email for 90 days. SecurityWeek and Trend Micro disclosed that changing your Yahoo password does not prevent your iPhone mail from accessing Yahoo, because the mail client holds a separate long-lived access credential that the password change does not revoke. Until that credential is revoked, a password change alone does not lock out anyone who already has it.
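The iPhone mail caveat is a general design point: a client authenticates once with the password and is then handed a long-lived credential (an app password or token), and a password change that does not also revoke those credentials leaves the old session alive. Here is an added example (not Yahoo's implementation; the original post says nothing about how Yahoo stores tokens) of a small credential store that binds each issued token to the password generation it was issued under, so changing the password invalidates every outstanding client token at once. The `naive=True` path models the reported behaviour, where the check only asks whether the token exists; the default path is the fix. The class and method names, the PBKDF2 parameters and the sample account are all constructed for the demo.

```python
"""Added example: why a password change should revoke long-lived client tokens.

Illustrative design, not any vendor's implementation. Each token is bound to the
password "generation" it was issued under; a password change bumps the generation,
so every previously issued token stops validating.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

PBKDF2_ROUNDS = 10_000  # demo value; production work factors are higher


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    generation: int = 1                                   # bumped on every password change
    tokens: Dict[str, int] = field(default_factory=dict)  # token -> generation issued under


class CredentialStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create_account(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def check_password(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))

    def issue_token(self, user: str, password: str) -> Optional[str]:
        """A mail client logs in once with the password and keeps the token it gets back."""
        if not self.check_password(user, password):
            return None
        acct = self.accounts[user]
        token = secrets.token_urlsafe(32)
        acct.tokens[token] = acct.generation
        return token

    def token_valid(self, user: str, token: str, naive: bool = False) -> bool:
        """naive=True: the failure mode, token presence alone is checked.
        Default: the token must also carry the current password generation."""
        acct = self.accounts.get(user)
        if acct is None or token not in acct.tokens:
            return False
        if naive:
            return True
        return acct.tokens[token] == acct.generation

    def change_password(self, user: str, old: str, new: str) -> bool:
        if not self.check_password(user, old):
            return False
        acct = self.accounts[user]
        acct.salt = os.urandom(16)
        acct.password_hash = _hash_password(new, acct.salt)
        acct.generation += 1  # this single line is what revokes every outstanding token
        return True

    def purge_revoked(self, user: str) -> int:
        """Housekeeping: drop tokens from old generations. Returns how many were removed."""
        acct = self.accounts[user]
        before = len(acct.tokens)
        acct.tokens = {t: g for t, g in acct.tokens.items() if g == acct.generation}
        return before - len(acct.tokens)


if __name__ == "__main__":
    store = CredentialStore()
    store.create_account("alice", "summer2016")           # constructed account
    phone_token = store.issue_token("alice", "summer2016")
    store.change_password("alice", "summer2016", "autumn2016!")
    print("old token still accepted (naive check):", store.token_valid("alice", phone_token, naive=True))
    print("old token still accepted (generation check):", store.token_valid("alice", phone_token))
```

The generation counter is cheaper than walking every token at change time and works even when tokens live in several caches, because a stale token is rejected wherever the current generation is known. The same trick covers "sign me out everywhere" and administrative lockout: bump the generation without changing the password.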

According to Investopedia, "Yahoo’s core business has been slowly declining as the PC advertising and search engine space has come to be dominated by the likes of Google Inc. (GOOG) and Amazon (AMZN)." Depending on who you ask, recode, PR News, Marketing Land, Bloom Reach, somewhere between 44% and 55% of all online product searches begin with Amazon. After the breach, it is likely fewer people will use Yahoo.

4) What's next for Verizon?

If Materially Adverse Change
          Price reduction OR Verizon walks away, (and possibly makes an offer for Twitter*)
          It is going to be a long winter for Verizon

* Fortune magazine reports Twitter will probably be bought at around $27 per share. 10/23/16: maybe not; it closed on Friday at 18.09 and can't seem to find a buyer. Motley Fool reports declined to make an offer.

4.1 This may be a blessing, combining AOL and Yahoo seems a bit like bows and arrows against modern weapons. Quartz has a pre-breach article claiming the merger will not end well.

5) Deja Vu. Operation Aurora 2009

Wikipedia reports Yahoo was targeted by Operation Aurora in 2009. Multiple sources, Darkreading, Security Affairs, Nextrio, mention they were targeted, but the impact is sketchy. SANS NewsBites reports, "A number of foreign journalists based in China are claiming their Yahoo email accounts have been hacked. The Foreign Correspondents Club of China (FCCC) has confirmed that eight journalists have had their Yahoo email accounts hacked including one that had a forwarding address added to the account. Yahoo has made no direct comment regarding the claims and says that it is "committed to protecting user security and privacy." Earlier this year the Google mail accounts of Chinese dissidents were targeted in an attack on Google. The FCCC is advising users to take care when using email, especially for sensitive issues, and warning people that "email does not appear to be secure in China, and that alternate means of arranging interviews and conducting other sensitive business are often preferable". "

Wednesday, September 21, 2016

The GIAC Advisory Board and its relationship to LinkedIn

The GIAC Advisory Board is a mailing list. The price of admission is to score 90 or higher on a GIAC exam. In other words, it is a meritocracy.

It was created 15 years ago because the founder of the Global Incident Analysis Center, (er, uh, that too), but in this case the Global Information Assurance Certification, realized that certification is hard and that GIAC would need a lot of help and advice to succeed and grow.

Over the years a number of things have happened. GIAC has grown. It is not the largest body of cybersecurity certifications in terms of credentials awarded; that is either ISC2 or CompTIA, depending on which reference source you use. GIAC is certainly the most comprehensive body of cybersecurity certifications and it is known for technical rigor, so scoring a 90 or above on one of the exams is a significant achievement.

The mailing list is private; to join, members sign a Non-Disclosure Agreement. They help each other in a number of ways. In addition to commentary about SANS and GIAC processes, they share exam practice tests, help with insights into hard problems and even discuss security vendor products.

The list can get quite chatty when an interesting thread comes up, so many of the members use the digest mode, (which has its own issues). However, the members that remain on the list feel that the value is worth the trillions of electrons that laid down their life for the cause.

Through most of its life, the list has been both private and obscure; however, in October 2015 it had a "coming out" party of sorts, primarily on the LinkedIn social network. That state change led to the creation of this blog post: if you are looking at a profile and wonder, "What is the GIAC Advisory Board?", here is the answer.

LinkedIn is social media designed for professionals to interact. Many people have an account, but most don't use their account actively. A common use is to find and apply for jobs. Recruiters, including technical recruiters, also use LinkedIn extensively to find talent. As the original author of MGT 512 and MGT 514, I have moved away from being a packet ninja to more of a management speaker. I try to stay in touch with my former students and help them when they need to find a new job, (that is a tough row to hoe when you are a middle aged middle manager). I have found LinkedIn is the most effective tool for that task that I have in my toolbox.

One aspect of LinkedIn is that it records the state of conversations over years. This provides a potential release from the "Dunbar number", (that you can only maintain about 150 relationships). Over the years, I have found Malcolm Gladwell's Tipping Point to be a useful thought model. Brad Hunter explains the Law of the Few as well as I have ever seen it:

"The law of the few is a law about the structure of our social network and how messages are passed through word of mouth. It attempts to classify three important types of people who affect the rapid spread of messages through the network. These three types of people are connectors, mavens, and salesmen."

Word of mouth? Social media has really changed that concept. Word of keyboard? I am trying to collect examples of "perceptors", things that influence or attempt to influence our thinking and beliefs. You can't spend much time on Facebook or LinkedIn without seeing something obviously fake like the story of Sgt. Gregory Hayes. I ignore such things on Facebook, I guess that is what it is there for, and unfollow people that post racist untruths on LinkedIn. I still remember the first time I met someone that actually believed the photo of President Obama doing the pledge with the wrong hand. The man was convinced, even when I showed him the Snopes writeup. This gives me hope that the things we post will help shape a positive, more secure future.

I am going to try to explain how LinkedIn can be used, (with a little elbow grease), for each role, (connectors, mavens, and salesmen).

     "Connectors are the socialites. They are people with many friends and acquaintances who spend time maintaining these connections. From the network perspective, these are the most central nodes in the social network. Gladwell devised a simple test which allowed him to determine that the number of connections a person has is measured by a power law. This means that connectors are rare in society, but they maintain many more times the number of relationships than the average person does. Because of their ability to spread a message to a huge number of people quickly, connectors are central to understanding how tipping points are reached."

Gladwell asserts connectors can exceed the Dunbar number and maintain over 150 active relationships. Every Thursday, I receive an email with the details of persons that scored over 85 on their GIAC exams and are being invited to the SANS Mentor program, (I created this program 16 years ago to help reduce the SANS Instructor shortage problem).

I look up each name on LinkedIn. If they are a 3rd level connection, I use InMail to congratulate them on their score and ask them to consider linking to me. If they are a 2nd level connection, (we have at least one 1st level connection in common), I write to a common 1st level connection and ask for an introduction. If they are a 1st level connection I try to write and congratulate them. This is very manual and takes about two hours a week, but in 2016 I crossed the 10k 1st level connection milestone. They aren't all my Best Friends Forever, and I am sure I am linked to a few fictitious persons, but this fuels my efforts to serve the community as a maven.

     "Mavens are the information gatherers of the social network. They evaluate the messages that come through the network and they pass their evaluations on to others, along with the messages. We can view mavens as regulators of the network because they have the power to control what flows through the network. We trust mavens, and this is especially important because their assessments can often make or break the tipping of an epidemic. Mavens drive many of our social institutions. They are the people who inform the better business bureau, regulate prices, write letters to senators, etc. in order that the rest of us don't have to. Though Gladwell does not argue this explicitly, his description of mavens suggests that mavens can be specialized in areas of expertise and thus many of us may be mavens in our particular areas of interest."

Most people do not use LinkedIn actively outside of job searching, recruiting and some Facebook-style scanning. I try to use my account to share information and ask for information. I have been doing this for years. It has taken a lot of patience, but I am finally escaping from the "land of small numbers".

If you have ever blogged, Facebooked, Tweeted etc., you probably notice that you commonly get 30 or maybe even 100 pageviews. That can be disheartening when you think about the hours of research and writing. Fifteen years ago when I was writing books like Network Intrusion Detection, (my co-author Judy Novak was the real reason for the success of that project), tens of thousands of people would read my posts and I was dumb enough to think it would always be that way.

If I write a blogpost on Yogi's training log an average of 18 people will read it. That doesn't bother me; I have to keep this as a record since he is actively in training as a service dog. If I post something on Facebook, I might get two dozen likes. This is what I call the land of small numbers. But LinkedIn, for whatever reason, has more firepower. Last year I broke a thousand pageviews, (for a single post), for the first time. Now, with my larger network, it is not uncommon at all for a post or update to reach that many readers; "word of keyboard". I try to post useful information, but I am also committed to using my network as a sales and marketing tool.

     "Salesmen are what the name implies. They are persuaders who are capable of propagating messages through the force of their character. Thus, regardless of the message content or their expertise in the area, they have a certain ability to sell which helps them move messages which may be of importance to them. This ability to persuade strangers to accept a message is why salesmen are important in tipping epidemics."

There is a section about sales in MGT 512. The point I try to make is that security does not sell itself, so we have to sell it. If we are going to sell then we need to understand the sales cycle. SANS has been kind enough to allow me to chair a conference each year, (hope to see you at Rocky Mountain 2017 :). This allows me to keep working on these skills. Direct paper mail and email advertising are only so effective; we know, we measure everything. LinkedIn word of keyboard lets me reduce my reliance on these tools.

The GIAC Advisory Board is another tool that I am very thankful for. I have asked for help many times and have tried to give help as well. We suggest that new members post their LinkedIn URL and hope they will be open to linking with other Advisory Board members. For myself, for all the reasons I have mentioned, this is synergistic. For other people, especially those who don't use LinkedIn, this is a distraction. Two suggestions:

  • Turn on digest mode if you haven't. This way, during a "LinkedIn flurry", you can easily see which posts you want to look at. SANS really can't filter out LinkedIn URLs because some people want to see them.
  • Think a bit about the connector, maven, salesperson model. There is no need to be in a hurry to build a LinkedIn network, but it is a good idea to do it BEFORE you are looking for your next career opportunity.
If you read this far, bless you! Don't be shy about asking to use my network; that is what it is here for. If you are having a hard time filling a job position, I would like to help you get the word out. If you took the time to research something and wrote a blogpost, I would love to put out an update with the URL. And if you are on LinkedIn and on the GIAC Advisory Board, please put that in your profile. We aren't Jedi knights or any such thing, but it is something to be proud of; every month or so I get a note from someone saying, "durn it, I scored an 88".

Tuesday, September 20, 2016

How to select a cybersecurity graduate school

Upfront disclaimer, I am biased. I am the chair for SANS Rocky Mountain 2017 and Director of Academic Advising for the SANS Technology Institute. That said, I am going to try to offer a range of thoughts from many sources.

This all started when I received an email from a website's Senior Editor, recommending their site as a resource.

I went to their website and it looks pretty good and seems to be balanced. But it got me thinking. What if I enter the search string "how to select a cybersecurity graduate school" into Google?

The top ranked, non-ad, site for that query is the University of San Diego. They offer commonsense advice: "There are a number of factors to consider, including school reputation, teacher caliber, cost and curriculum that can help you narrow down your options."

And they ask an important question, (that I do not think they really answer): "So how do you determine what schools have the best reputation in your field?"

The number two hit was a list of the 25 best online programs. According to them the top three are Penn State, Northeastern, and Boston University. This is clearly proof that the Northeast coast rules the cybersecurity roost. BZZT.

Next up, another ranking, with Regis, Capella and Syracuse. They look even less believable. Sigh.

Let's change the search string to simply "cybersecurity graduate school".

The top ranked, non-ad, site for that query has a filter system and runs a number of scripts in your browser; the rank is Kaplan, Syracuse, University of Delaware.

The number two hit was a CSO article and their top three were: American Military University, Carnegie Mellon, and Fordham. At this point, I am fairly sure that everyone but the University of San Diego is making this stuff up.

OK, let's try for some ground truth: for each top 3 school, let's Google the name of the school and the word cybersecurity and put them in rank order by result count. I am also going to add Norwich, Purdue and SANS because I am familiar with their programs.

American Military University 1.26M
University of San Diego 980k
University of Delaware 829k
Boston University 770k
Penn State 598k
Northeastern 372k
Purdue 321k
SANS Technology Institute 312k
Carnegie Mellon 302k
Kaplan 262k
Syracuse 224k
Norwich 181k
Regis 137k
Fordham 121k
Capella 71.4k

My next step is to reply back to Shaun McKay, Senior Editor and ask for his take.